1024-bit encrypted, cloud-based garage

1024-bit Encrypted, Cloud-Based Garage

*Desired Encryption level proportional to paranoia

**Cloud-base-edness optional extra

Daniel Ng 2012 @embeddedmelb

What?

• Open your garage door from your phone

• Over Wi-Fi

• Secure-enough

• Could be over the Internet if you really want

Why?

• Garage only had 1 working remote control

• Original replacement cost $200+

• Dodgy after-market replacements

• Phone == Universal Controller

• Just for fun, curiosity, learning.

The Gear

• Original push-button local wired controller

• Any phone with an SSH Client

• Dreamplug (overkill)

• mbed (also overkill)

• Simple transistor switch circuit

Dreamplug

• Fanless Plug Computer

• <5W consumption

• Built-in Wi-Fi Access Point

• Runs Linux

• Many other bells & whistles

Phone

• Phone connects to Dreamplug’s built-in Wi-Fi Access Point

• Phone logs in to Dreamplug with specific username eg. ‘g’

• Use any phone with a SSH Client

• Eg. ‘ConnectBot’ on an Android Phone

• Optional: – ConnectBot also has Public-Key Encryption feature

• Convenience of not having to type a password

Hacking The Dreamplug

• Hack /etc/passwd for user ‘g’: g:x:1000:1000:g,,,:/home/g:/sbin/garage

• Create /sbin/garage: #!/bin/sh

echo "ggg"

echo '1' > /dev/ttyACM0

• Optional: – Create (eg. 1024-bit) public-key pair for

convenience of not having to type password: ssh-keygen

mbed

• 32-bit ARM Core

• USB

• Lots of GPIOs

• Many other bells & whistles

Hacking The mbed

Now What?

• GPIO pin on mbed goes high for 1 sec.

• We want this to cause the button on the old controller to be pressed

– ie. close the circuit across the button terminals

• How?

Transistor Circuit

• Transistor acts as a simple switch

Transistors Simplified

• Current entering the Base flows when the mbed’s GPIO goes HIGH

• The Collector is wired to one of the button terminals

• The Emitter is wired to the other button terminal

• Current entering the Base causes current to flow between the Collector and Emitter ie. closing the circuit between the button terminals

Summary

• Phone connects to Dreamplug’s Wi-Fi Access Point

• Phone logs in

• Dreamplug executes hacked login script which sends a ‘1’ to the USB port

• mbed sees the ‘1’ and turns on the transistor switch

• Transistor switch ‘presses’ the garage door button